CVE-2026-45372
Publication date 29 May 2026
Last updated 26 June 2026
Ubuntu priority
Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| cpp-httplib | 26.04 LTS resolute |
Fixed 0.26.0+ds-2ubuntu3+esm1
|
| 25.10 questing |
Fixed 0.18.7-1ubuntu0.25.10.2
|
|
| 24.04 LTS noble |
Fixed 0.14.3+ds-1.1ubuntu0.1~esm2
|
|
| 22.04 LTS jammy |
Fixed 0.10.3+ds-1ubuntu0.1~esm2
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version: CVSS v3.0
Base score
9.9 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
References
Related Ubuntu Security Notices (USN)
- USN-8470-1
- cpp-httplib vulnerability
- 25 June 2026